icbc aml risk-based approach (jan 2011) by bachir el nakib

AML, KYC, Risk Based Approach, and Compliance

Bachir El Nakib, CAMS

Doha Branch , 21 March 2011

04/11/23 123/4/11 1@2011 - ICBC Doha Branch

What Is Money Laundering ?

– Money Laundering is the Process of Integrating the Proceeds of Crime into the Legitimate Stream of Financial Commerce by Masking its Origin• A process to make Illegitimate Funds

Appear Legitimate

What Is Money Laundering ?

– Concealing the existence or source of income from a crime

– Disguising income from a crime so that it appears legitimate

– Knowingly assisting a criminal in moving money or other property that constitutes the proceeds of criminal activity

Some Examples of Proceeds of Activities Which Constitute Money Laundering in Qatar &

UAE are:– Drug Trafficking– Foreign Official Corruption– Embezzlement– Securities, Wire and Mail Fraud – Bribery– Terrorist Financing– Trafficking in Human Cargo– Racketeering– Arson– Foreign Smuggling & Export Control Violations– Money Derived From Predicate Crimes

Money Laundering is separate from the charges of the underlying crime(s)

Money LaunderingMoney LaunderingStages & Techniques Stages & Techniques

23/4/11 5

Trade Based Money laundering

23/4/11 7

We all share the same goals:

23/4/11 8@2011 - ICBC Doha Branch

Objectives of presentation

• Why the need to risk assess?• How to risk assess?• Objectives – V – Risk• Input and Output• Translating operational requirements into a National

Strategy• This is not a passive training session!


Financial Institutons

Insurance Companies

DNFBPs

Criminal justice system

Police

Customs

Security Services

Launderers & terrorists

Illegal Activity

Proceeds of crime

Financial Intelligence Unit

Regulators

Markets & Exchange Houses


Objectives V Risks

• Before thinking of risks we need to determine what the operational objectives of our departments are?– What we were set up to do?– What do we do well?– What do we need to do better?– What do we need to stop doing?

• Once we establish objectives then we can think of risks


The Outline of the Risk-Based Methodology


Risk Categories

Category of Risk Description

Corporate / Commercial Risks arising out of entrepreneurial or commercial activities.

Economic / Financial / Market

Risks driven by economic activity either of a region, jurisdiction or given market.

Legal / Regulatory Risks arising from legal or regulatory requirements or evolving international standards.

Organisational / Management Human

Risks presented due to limitations of human or financial resourcing.

Political / Societal Risks arising from changing political or societal expectations.

Environmental / Acts of God Risks that can materialise without the ability to influence them.

Technical / Operational / Infrastructure

Risks caused or exacerbated by resourcing or technical limitations.


Examples of Risk Identification

Objective: To travel from Al Rayyan to Doha for a meeting by bus for a meeting at a certain time.Risk Description Evaluation - Good Description?Failure to get from Al Rayyan to Doha on time for the meeting

NO, this is simply the converse of the objective

Being late and missing the meetingNO, This is a statement of impact of the risk, not the risk itself.

There is no food on the bus so I get hungry

NO, this does not impact on achievement of the objective.

Missing my lift to the bus stop causes me to miss the bus causing me to be late and miss the meeting

YES, This is a risk that can be controlled by making sure I allow plenty of time to get to the bus-stop.

Severe weather prevents the bus from running and me getting to the meeting

YES, although this is a risk which I cannot control, but against which I can make a contingency plan.


Addressing Risk - The Risk Matrix


Assessing Risk- Impact & Likelihood

• All risks need to be assessed for their impact and likelihood;– Impact

• Low – If risk materialised will not have a detrimental effect • Medium – Some damage will ensue• High – Major remediation will be required to correct

– Likelihood• Low – The risk may occur only in exceptional circumstances• Medium – Reasonable chance of occurring• High - Most likely to occur than not


Risk Tolerance Matrix


Risk Tolerance

TOLERATE The exposure may be tolerable without any further action being taken

TREAT The purpose of treatment is that whilst continuing within the

organisation with the activity giving rise to the risk, action (control) is taken constrain the risk to an acceptable level.

TRANSFER For some risks the best response may be to transfer them. This

option is particularly good for mitigating financial risks or risks to assets.

TERMINATE Some risks will only be treatable, or containable to acceptable levels,

by terminating the activity.


We need to balance different demands

19

Review account opening opportunities across business lines

Account openings

Compliance will give you a timely response so you can respond to potential clients quickly

Identify account openings that need to be escalated

Optimise riskBuild brand

Effective use of resourcesMaximise opportunities

Profitability


23/4/11 @2010 Compliance Alert 20

THE ONLY ISSUE?COMPLIANCE & REGULATORY RISK

The problem is KYC

KNOW YOUR- CUSTOMERS- CORRESPONDENTS- EMPLOYEES- SHAREHOLDERS

?23/4/11 20@2011 - ICBC Doha Branch

Know your customer: why is this needed? What does it mean?

• Risk based client classification

• How to carry out customer due diligence

• Beneficial owners of funds vs introducers

• Accounts and territories a Bank will not deal with

• Higher-risk clients - How the information will be verified and for whom, and

- The extent of identification information to be sought

- Politically Exposed Persons: what it means and why could they be

high risk?

- Entities with no transparent ownership structure – i.e. FZCs


22

Components of a Risk Based Approach

Risk Indicators Mitigating Controls

Regulatory Environment

Customer/Business Type

Geography

Product/Service/Delivery Channels

Transaction Type

Governance Structure

Policies & Procedures

Training/Communications & Awareness

Independent Testing

Increased regulatory expectations

New regulations

AMLRisk Based Approach



Compliance Process

4 Phases

Risk assessment

Risk identification

Risk Reporting

Risk Monitoring

232323/4/11 23@2011 - ICBC Doha Branch

23/4/11 24

Risk Based Approach to KYC

1. Accept or Reject business?

•Profitability

•Suitability

•Reputation Risk

•Sanctions •Suspect blacklists

Reject due to Business

Considerations

Reject due to Business

Considerations

Reject due to Sanctions

etc

Reject due to Sanctions

etc

Accept

2a. Borrowing Customers

Existing KYC Process

(BCA)

3. Risk Assessment

Manage a

s Le

vel 3

Ris

kM

anage a

s Le

vel 3

Ris

kM

anage a

s Le

vel 2

R

i sk

Manage a

s Le

vel 2

R

i sk

Manage a

s Le

vel 1

Ris

kM

anage a

s Le

vel 1

Ris

k

2b. Non-Borrowing Customers risk profiled using agreed and easy to implement filters.

3. Separate out Level 3 customers using agreed filters.

3. Impose Basic KYC only

3b. Impose Enhanced KYC

@2010 Compliance Alert23/4/11 24@2011 - ICBC Doha Branch

23/4/11 25

Risk Based Approach to KYCLevel 3

RiskLevel 3

RiskLevel 2

RiskLevel 2

RiskLevel 1

RiskLevel 1

Risk

Monitor Account Activity which requires account to be classified as Level (2) or (3)

Monitor Account Activity which requires account to be classified as Level (2) or (3)

Monitoring to identify account activity which requires account to be reclassified as Level (3)

Monitoring of transactions against customer profile on monthly basis.

Monitoring to identify account activity which requires account to be reclassified as Level (3)

Monitoring of transactions against customer profile on monthly basis.

Account Opening

Ongoing Account

Management

Monthly Review

-Monitoring of transactions against customer profile

-KYC Relationship review approved by Senior management

Monthly Review

-Monitoring of transactions against customer profile

-KYC Relationship review approved by Senior management

Enhanced KYC

-Basic KYC Plus

-Nature of business

-Origin of funds

-Purpose of account

-Type & level of activity

Enhanced KYC

-Basic KYC Plus

-Nature of business

-Origin of funds

-Purpose of account

-Type & level of activity

Basic KYC

-Evidence of Identity

-Evidence of address

- Sanctions Filtering

Basic KYC

-Evidence of Identity

-Evidence of address

- Sanctions Filtering

@2011 - ICBC Doha Branch

23/4/11 @2011 - ICBC Doha Branch 26

Why should I care about these Requirements?• Money Launderers and Terrorists seek out vulnerable banks

• The Regulator will fine the bank heavily

– Ignorance is no defense!

• FinCEN Listing Banks as Primary money laundering concern (LCB Case 10 Feb 2011)

• OFAC can and will seize customers funds

– Banco Delta Asia Ltd. Macau, Syria, Cuba, Iran, North Korea, Congo

• US, European and other banks won’t Correspond with you

– Strict Due Diligence

– Correspondent Bank Certifications

– Demand due diligence (KYCC)

• The cost of a Fine is insignificant, compared to the internal cost and loss of business.

– Restructuring, new procedures, new systems, training

– Loss of reputation

– Loss of shareholder value


Watch list Filtering• Scanning of customer records & transactions against

– Government sanction lists – OFAC, BOE, UNO etc– High risk individuals- terrorists, organized crime, fraudsters etc– Exposed individuals – PEPs, public figures, high profile– 3rd party database providers – World Compliance, Thomson, Bridger, World-Check,

Dow Jones-Factiva, Complinet, Lexis-Nexis, etc.,

• Key Issues– Character Variations– Phonetic Variations– Transliterations & cultural differences

• Using intelligent name matching algorithms with :– Normalization of names – capitals, abbreviations, spaces, punctuation– Reference libraries – common short names, cultural inputs– Reduction to simplified representation – phonetics, soundex– Indexing – decision tree– Similarity assessment – string equality, sub-sets, edit distance


The Situation

k

• High risk individuals, companies and organisations are targeting financial organisations and the countries within which they operate.

• Their very existence depends on their ability to enter your organisation or country undetected. What are the risks:

• Regulatory risk

• Reputational risk

• Business risk

• Shareholder risk

• Job risk


LOB Risk Assessment

Evaluate Assess

Evaluate inherent risks

Assess controls

Determine Develop

Monitor and enhance controls

Develop and implement

action plans

Determine residual risk/

establish thresholds

Maintain and retain records

Monitor Maintain


Risk-based Approach and the KYC Process

• Simplified Due Diligence?• Enhanced Due Diligence?

Risk-Scoring


– How do we perform risk assessment?– Do we have the right tools to do the job?– How does the risk assessment program define and

score the risks of products? Customers? And jurisdictions?

– How do we develop risk based matrices? With or without the help of outside vendors?


Know Your Customer

• ICBC is committed to know each of its customers to the extent appropriate for the customer’s risk profile

• ICBC Customer Due Diligence Measures

• Customer identification• Verifying the customers ID, reliable, independent source

documents, data and information• Establishing whether customer acting on behalf of another person• Measures if customer acting on behalf of another person• Measures if customer is a legal person or legal arrangement• Establishing beneficial ownership• Obtaining the source of customer’s wealth and funds• Obtaining information about the purpose and intended nature of

the business relationship



Enhanced Risk Assessment MethodologyConduct detailed analysis of each category

1 2 53 4

Assess Risk

Purpose of Account

Activity in Account

Nature of the business

Location Products and Services used



Simplified or Enhanced Due Diligence?

Simplified CDD Level 1 - Tick-box / Red-Flag Check

Limited CDD Level 2 - Public Record Research

Standard CDD Level 3 - Public Record Research Limited Source Enquiries

Enhanced CDD Level 4 - In-depth Public Record Research & Enquiries

Specific issues

The Risk-based approach requires a levelled approach to CDD


Main AML Risk based Approach Factors

Customer Risk Country Risk

Sector Risk Product Risk


Risk Based Approach Elements

Customer Risk•Overall background and reputation•Business interests and practices-Mgt•Business associates and

networks/ Business Link•Political Affiliations (PEPs)•Beneficial ownership and control•Source of funds

Country Risk•Political stability•Legal status•Economic situation•Standing of the financial services

industry•Exposure to organised crime and

Money laundering•Corruption

Sector Risk•Weapons and Metal trading•Precious metals•Art•Real Estate•Exchange Dealership

Product Risk•Private Banking•Correspondent Banking •Structured Finance•Commodities


RBA Matrix

• An RBA Matrix is built to:– Assess Risks– Capture identified risks– Estimate their probability of occurrence and

impact– Rank the risks based on the above

information.


• These variables may increase or decrease the risk posed by a particular customer or transaction, for example:

– The level of regulation or governance regime to which a customer is subject. (A customer is located in a high regulated jurisdiction poses less risk than a customer located in a low risk jurisdiction)

– Type of the entity: publicly owned entities pose less risk than private entities

– The use of intermediate = Anonymity


Case Study – Results of Risk-Scoring

Customer Risk

•Overall background and

reputation•Business interests and practices•Business associates and

networks•Political Affiliations (PEPs)•Beneficial ownership and control•Source of funds

Country Risk

•Known of weak AML rules •Known of terrorist financing,

Smuggling & other money

laundering activities

Sector Risk

•Real Estate

Product Risk

•Structured Finance•Complex transaction


Case Study – Results of Risk-Scoring

Enhanced CDD – Level 4

Simplified CDD Level 1 - Tick-box / Red-Flag Check

Limited CDD Level 2 - Public Record Research

Standard CDD Level 3 - Public Record Research Limited Source Enquiries

Enhanced CDD Level 4 - In-depth Public Record Research & Enquiries

Specific issues

The Risk-based approach requires a levelled approach to CDD


ActionsImpact

Analysis

Risk Response (controls)

Quality of Risk

Customer Risk

Geographic Risk

Product and Service Risk

Quantity of Risk

Response Effectiveness

Analysis

Identify Risk Categories

Assess Quantity of Risk Assess Quality of Risk Action Plans

Enhanced Risk Assessment Methodology

Identify specific risks categories


42

Customer Risk Matrix

Products/Services Used

Customer Type Deposit Account

UnsecuredLoan/CreditCards

Wire Transfer PrivateBanking

Trust Services

PEP Moderate Moderate High Highest Highest

High Net Worth Moderate Moderate High Highest Highest

High Risk Nationality Moderate Moderate High High High

High Risk Industry Moderate Moderate Moderate Moderate Moderate

Cash Intensive Business

Normal Moderate High Moderate Moderate

Salaried Employee Normal Normal Normal Normal Normal

Independent Consultant/Individual Entrepreneur

Moderate Normal Normal Normal Normal

Unemployed Moderate Moderate Moderate Moderate Moderate

Charity Moderate High High High High23/4/11 @2011 - ICBC Doha Branch

43

Account Opening Policies

Customer Risk Rating Applicable Policies

Normal Presentation of valid original identity documentsEstablish purpose of accountEstablish source of fundsRetain copiesCheck against UN and other watch lists

Moderate Above plus …Send registered letter to customer at provided address. Retain signed return receipt.

High Above plus …Independent verification of account opening documentsVerification of source of fundsInterview with bank officerVisit by bank officer to customer home/businessApproval from branch managerUpdating of account information/documents every twelve months

Highest Above plus …Updating of account documents every six monthsApproval from CEO23/4/11 @2011 - ICBC Doha Branch

44

Transaction Type Risk MatrixCustomer Risk Rating

Offshore Wire Transfer

Wire Transfer to High Risk Jurisdiction

Cash deposit under threshold/structuring transactions

Large Cash Deposit

Forex Early Loan Repayment

Normal Standard Standard Standard Enhanced Standard Standard

Moderate Enhanced Enhanced Enhanced Enhanced Enhanced Enhanced

High Severe Severe Enhanced Enhanced Enhanced Enhanced

Highest Severe Severe Severe Enhanced Enhanced Enhanced

23/4/11 @2011 - ICBC Doha Branch

45

Transaction Execution/Monitoring Policy

Transaction Risk Rating Applicable Policies

StandardTeller/staff monitoringAutomated system monitoring

EnhancedCustomer explanation for transactionCompliance Officer Approval for execution

SevereCEO Approval for execution

23/4/11 @2011 - ICBC Doha Branch


http://www.facebook.com/photo.php?pid=3933283&id=654913990

© January 2003, kd labs ag, analytical CRM and data mining

Data analysis

1 2

patterns

3

Se

lf-h

isto

ry

Pe

er

gro

up

s

Lin

k A

na

lysi

s

rules

exp

ert

s,re

gu

latio

ns

names

Bla

cklis

ts,

PE

P‘s

, e

tc.

Overview

Bank'stransactions& customers

data

!Alertdelivery

Admin Client

User Interfaces

WorkflowClient

datarepository

externaldata


Helmuth Fuchs

Farblich zeigen, dass kdprevent die Gesamtlösung bietet (mit Schnittstellen)


Risk: Customer/Business TypeIdentifying PEPs

How do you determine whether an account holder is a PEP?

• Seek information directly from the individual

• Review sources of income including past and present employment history and references form professional associates

• Review public sources of information (i.e. databases, newspapers, etc.)

• CIAs online directory of “Chiefs of State and Cabinet Members of Foreign Governments” http://www.odci.gov/cia/publications/chiefs/index.html

• Transparency International Corruption Perceptions Index

• Private vendors (i.e. world Compliance/ Regulatory DataCorp (RDC), Factiva, and WorldCompliance)


http://www.odci.gov/cia/publications/chiefs/index.html


Risk: Customer/Business TypeIdentifying PEPs (Cont.)

FATF Recommendations for PEPs:

Determine whether a customer is a PEP

Obtain senior management approval for establishing relationship

Establish source of wealth of funds

Conduct ongoing monitoring of relationship


Assessing AML Risk by Jurisdiction

CorruptionSanctions

Black list status e.g tax haven

International Cooperation e.g OECD, UN Non-Cooperation status

RISK



Case Study: The United Nations

A FAMILY-RUN BUSINESS


• Son of Kofi Annan (Secretary General-UN) from first marriage

Kofi Annan

Kojo Annan

Case Study: The United Nations

• Worked for SGS/Cotecna (given UN deal to enforce sanctions in Iraqi ports)

• Moved on to start own company, Sutton Investments

Leo Mugabe

• Sutton part of consortium with Air Harbour Technologies & Leo Mugabe (nephew of Robert Mugabe, Pres of Zimbabwe)

Hani Yamani

• Air Harbour owned by Hani Yamani (son of Sheikh Yamani, Saudi Oil Min.)• Consortium won bid valued in $100s of millions to build Zimbabwe airport

Kojo Amoo

• Kojo Amoo-Gottfried, Ghana Ambassador to UN (nephew of Kofi)

http://images.google.com/imgres?imgurl=www.zimsoccer.com/images/zifa/leo_mugabe.jpg&imgrefurl=http://www.zimsoccer.com/zifa_executive.asp&h=150&w=103&prev=/images?q=leo+mugabe+&svnum=10&hl=en&lr=&ie=UTF-8&sa=N

Test your AML KnowledgeTest your AML Knowledge


Knowledge TestKnowledge Test

Q: Which of the following is the most common method of laundering money through a legal money services business?

A. Purchasing structured money instrumentsB. Smuggling bulk-cashC. Transferring funds through Payable Through accounts (PTAs)D. Exchanging Colombian pesos on the black market

Correct Answer is: ACorrect Answer is: A



Q: In general, the three phases of money laundering are said to be: Placement

A. Structuring and manipulationB. Layering and integrationC. Layering and smurfingD. Integration and infiltration

Correct Answer is: BCorrect Answer is: B



Q: Which of the following is an indication of possible money laundering in an insurance industry scenario?

A. Insurance products sold through intermediaries, agents or brokersB. Single-premium insurance bonds, redeemed at a discountC. Policyholders who are unconcerned about penalties for early cancellationD. Policyholders who make full use of the “free look” period

Correct Answer is: CCorrect Answer is: C



Q: Upon receipt of a legal document where the financial institution is asked by a government authority to produce account information and records, what is the recommended first step for the institution?

A. Review the legal document and answer the authorities within 72 hours.B. Research all the account information within the institution on the account holder.C. File a suspicious activity report, if possible.D. Contact the institution’s Compliance Officer or legal counsel.

Correct Answer is: DCorrect Answer is: D



Q: Money Laundering refers to

A. Transfer of assets/cash from one account to anotherB. Conversion of illegal money through banking channelsC. Conversion of cash into gold for hoardingD. Conversion of assets into cash to avoid income tax




Q: Minimum retention period of the records according to Jammal Trust Bank that can be produced to the relevant Regulatory Authority in case of suspicious transactions is

A. 5yearsB. 7 yearsC.10 yearsD.15 years




Q: The following can be called as suspicious transactions

A. Customer insisting on anonymity.B. Work address difference from place of residency.C. Unusual terminating of account and refunds of interestD. All of the above




Q: Which of the following documents can be accepted as proof of customer identification.

A. Electricity billB. Salary slipC. Gym MembershipD. Government Issued Photo ID




Q: Salaried employees, Government departments are classified as

A. High RiskB. Low RiskC. Medium RiskD. No Risk




Q: PEPs (Politically Exposed Persons) & High Net Worth individuals could be classified as

A. High RiskB. Low RiskC. Medium RiskD. No Risk




Q: What are the money laundering risks to organizations?

A. Reputation RiskB. Compliance RiskC. Operational RiskD. Legal Risk




OFAC: Office of Foreign Assets & Control lists: Specially Designated Nationals Weapons of Mass Destruction Blocked Countries

BIS: Bureau of Industry & Security - Issued by the United States

BOE: Bank of England

CSSF: Commission de Surveillance du Secteur Financier-Luxembourg

SECO: Secretariat d’Etat a l’economie – Switzerland

UN: United Nations: Al-Qaida & Taliban; Iraq; Liberia

MAS: Monetary Authority of Singapore

EU: EU Regulations

FATF: Financial Action Task Force

Other: Vendor (i.e. SIDE-OFAC/World Check Lists) and internal Lists

Risk: Customer/Business TypeExamples of Black Lists


Risk-Based Customer

Due Diligence

Investigations & Reporting

Customer Transactions

Single Customer View Data

Independent Audit

Training/Self Testing

Wri

tten

Pro

ced

ure

s

AML Risk Assessment Risk Profile

Pro

ject P

lann

ing

/Exe

cutio

nP

oli

cies

Corporate Governance

Pro

gram

Man

agem

en

tBest Practices Framework



Summary

– Risk-scoring defines the level of CDD required

– Beneficial Ownership and PEPs are key

– Advantages:

• Institutions can mitigate their own risk exposure through the risk-based approach and risk exposure

• Risk-Scoring also enables institutions to develop benchmarks and risk rating parameters

Primary objective is profit maximisation but we place high importance on client care & other aspects of compliance.

There are multiple assurances of this in the firm…….



THANK YOU

icbc aml risk-based approach (jan 2011) by bachir el nakib

Economy & Finance